Touch up a number of formating issues for XDG_RUNTIME_DIRS in a number
of man pages. Make use of the XDG_CONFIG_HOME environment variable
in a rootless environment if available, or set it if not.
Also added a number of links to the Rootless Podman config page and
added the location of the auth.json files to that doc.
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
fix#3609
Podman import used to check filename to only allow tarball path as a file. It should also allow an url as the doc mentioned. This PR allows the program to continue if the input is a valid URL
Signed-off-by: Qi Wang <qiwan@redhat.com>
There's no way to get the error if we successfully get an exit code (as it's just printed to stderr instead).
instead of relying on the error to be passed to podman, and edit based on the error code, process it on the varlink side instead
Also move error codes to define package
Signed-off-by: Peter Hunt <pehunt@redhat.com>
clean up some final linter issues and add a make target for
golangci-lint. in addition, begin running the tests are part of the
gating tasks in cirrus ci.
we cannot fully shift over to the new linter until we fix the image on
the openshift side. for short term, we will use both
Signed-off-by: baude <bbaude@redhat.com>
This includes:
Implement exec -i and fix some typos in description of -i docs
pass failed runtime status to caller
Add resize handling for a terminal connection
Customize exec systemd-cgroup slice
fix healthcheck
fix top
add --detach-keys
Implement podman-remote exec (jhonce)
* Cleanup some orphaned code (jhonce)
adapt remote exec for conmon exec (pehunt)
Fix healthcheck and exec to match docs
Introduce two new OCIRuntime errors to more comprehensively describe situations in which the runtime can error
Use these different errors in branching for exit code in healthcheck and exec
Set conmon to use new api version
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Signed-off-by: Peter Hunt <pehunt@redhat.com>
When removing --all images prune images only attempt to remove read/write images,
ignore read/only images
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Close#3553
This PR makes --dns, --dns-option, --dns-search, and --network not set to host flag mutually exclusive for podman build and create. Returns conflict error if both flags are set.
Signed-off-by: Qi Wang <qiwan@redhat.com>
allow a container to run in a new cgroup namespace.
When running in a new cgroup namespace, the current cgroup appears to
be the root, so that there is no way for the container to access
cgroups outside of its own subtree.
By default it uses --cgroup=host to keep the previous behavior.
To create a new namespace, --cgroup=private must be provided.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
When we first began writing Podman, we ran into a major issue
when implementing Inspect. Libpod deliberately does not tie its
internal data structures to Docker, and stores most information
about containers encoded within the OCI spec. However, Podman
must present a CLI compatible with Docker, which means it must
expose all the information in 'docker inspect' - most of which is
not contained in the OCI spec or libpod's Config struct.
Our solution at the time was the create artifact. We JSON'd the
complete CreateConfig (a parsed form of the CLI arguments to
'podman run') and stored it with the container, restoring it when
we needed to run commands that required the extra info.
Over the past month, I've been looking more at Inspect, and
refactored large portions of it into Libpod - generating them
from what we know about the OCI config and libpod's (now much
expanded, versus previously) container configuration. This path
comes close to completing the process, moving the last part of
inspect into libpod and removing the need for the create
artifact.
This improves libpod's compatability with non-Podman containers.
We no longer require an arbitrarily-formatted JSON blob to be
present to run inspect.
Fixes: #3500
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Docker CLI calls the healthcheck flags "--health-*", instead of
"--healthcheck-*".
Introduce the former, in order to keep compatibility, and alias
the later, in order to avoid breaking current usage.
Change "--healthcheck-*" to "--health-*" in the docs and tests.
Signed-off-by: Hunor Csomortáni <csomh@redhat.com>
If the image was built with "HEALTHCHECK NONE" then we should create a
container without healthcheck configuration. Otherwise executing the
healthcheck on the container will return "unhealthy" instead of the
correct error message that the container doesn't have a healthcheck.
We also ignore the healthcheck configuration if the command list is
empty or the command string is empty.
Fixes#3525
Signed-off-by: Stefan Becker <chemobejk@gmail.com>
If the image doesn't provide any options, e.g. interval, timeout, etc.,
then apply the Docker defaults when creating the container. Otherwise
the defaults will be left 0 and podman doesn't schedule the healtcheck
service & timer for the container or incorrectly reports unhealthy state
when the check is executed.
Fixes#3525
Signed-off-by: Stefan Becker <chemobejk@gmail.com>
Fix Docker CLI compatibility issue: the "--healthcheck-command" option
value should not be split but instead be passed as single string to
"CMD-SHELL", i.e. "/bin/sh -c <opt>".
On the other hand implement the same extension as is already available
for "--entrypoint", i.e. allow the option value to be a JSON array of
strings. This will make life easier for tools like podman-compose.
Updated "--healthcheck-command" option values in tests accordingly.
Continuation of #3455 & #3507
Signed-off-by: Stefan Becker <chemobejk@gmail.com>
This flag passes the host environment into the container. The basic idea is to
leak all environment variables from the host into the container.
Environment variables from the image, and passed in via --env and --env-file
will override the host environment.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The newly added functionality to include the container's root
file-system changes into the checkpoint archive can now be explicitly
disabled. Either during checkpoint or during restore.
If a container changes a lot of files during its runtime it might be
more effective to migrated the root file-system changes in some other
way and to not needlessly increase the size of the checkpoint archive.
If a checkpoint archive does not contain the root file-system changes
information it will automatically be skipped. If the root file-system
changes are part of the checkpoint archive it is also possible to tell
Podman to ignore these changes.
Signed-off-by: Adrian Reber <areber@redhat.com>
When the user uses remote client, the message prompts the user to use `podman-remote`. This does not apply for Mac usage.
Signed-off-by: Ashley Cui <ashleycui16@gmail.com>
when not using --size with ps, we do not need a store. this should make
ps more effecient when the system is under heavy load.
also, prune unused ps functions as no longer needed.
Signed-off-by: baude <bbaude@redhat.com>
Previously, when pause & unpause were run on rootless, the error message that pause was unsupported for rootless was not being thrown. When running remote, even if remote host was root, unsupported rootless error was being thrown.
Now, the error shows up when appropriate.
Signed-off-by: Ashley Cui <ashleycui16@gmail.com>
some podman commands do not require the use of a container/image store.
in those cases, it is more effecient to not open the store, because that
results in having to also close the store which can be costly when the
system is under heavy write I/O loads.
Signed-off-by: baude <bbaude@redhat.com>
at least on Fedora 30 it creates the /run/user/UID directory for the
user logged in via ssh.
This needs to be done very early so that every other check when we
create the default configuration file will point to the correct
location.
Closes: https://github.com/containers/libpod/issues/3410
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This fixes some of our handling of images which have no layers, i.e.,
those whose TopLayer is set to an empty value.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
With StringSlice, we're seeing individual options added and
parsed separately, so `tmpfs:nosuid,nodev` turns into three tmpfs
mounts passed into pkg/sec (tmpfs:, nosuid, nodev). Swap to
StringArray to tell cobra this can't be split on commas.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
When Host IP is not set in podman-remote.conf, error is printed out.
When Username is not set in podman-remote.conf, default username is used.
Signed-off-by: Ashley Cui <ashleycui16@gmail.com>
the compilation demands of having libpod in main is a burden for the
remote client compilations. to combat this, we should move the use of
libpod structs, vars, constants, and functions into the adapter code
where it will only be compiled by the local client.
this should result in cleaner code organization and smaller binaries. it
should also help if we ever need to compile the remote client on
non-Linux operating systems natively (not cross-compiled).
Signed-off-by: baude <bbaude@redhat.com>
This provides backwards compatability with 1.4.0-1.4.2 releases
which name .Source and .Destination as .Src and .Dst - useful for
not breaking toolbox.
Also add a test.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
The man page of 'podman diff' claims that the diff sub-command knows
about --latest, -l. This adds support, as described in the man-page, to
the diff sub-command for --latest, -l.
Signed-off-by: Adrian Reber <areber@redhat.com>
Four of the healthcheck tests were completely broken. They
were written with the option '--healthcheck-cmd' which is
not an option (it should be '--healthcheck-command', with
'command' as a full word). The tests were merely checking
exit code, not error message, so of course they failed.
I have fixed the command line and added checks for the
expected diagnostic.
(Side note: do not write tests that check exit code but
nothing else. This should not need to be said).
One of the four tests was invalid: --healthcheck-interval 0.5s.
Per Brent:
initially i was going to restrict sub one-second intervals
That test has been removed. It would probably be a good idea
for a future PR to add some validation such as preventing
negative values, but that's left as an exercise for later.
Also: grammar fix in an error message.
Caught by my ginkgo log greasemonkey script, which
highlights 'Error' messages and grabbed my attention.
Signed-off-by: Ed Santiago <santiago@redhat.com>
While we're at it, rewrite how we populate it. There were several
potential segfaults in the optional spec.Process block, and a few
fields not being populated correctly versus 'docker inspect'.
Signed-off-by: Matthew Heon <mheon@redhat.com>
Logging messages from the dependency libraries should not log onto the
screen when using the remote client. This patch writes logging to
~/.config/containers/podman-remote.log
Fixes#3299
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Appropriate changes were applied to the file
cmd/podman/varlink/io.podman.varlink, in order to make changes in API.md
persistent.
Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
Currently we report cgroupmanager default as systemd, even if the user modified
the libpod.conf. Also cgroupmanager does not work in rootless mode. This
PR correctly identifies the default cgroup manager or reports it is not supported.
Also add homeDir to correctly get the homedir if the $HOME is not set. Will
attempt to get Homedir out of /etc/passwd.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
StringSliceVar was distorting options. StringArrayVar seems to
not mangle them, so use that instead.
Thanks to Giuseppe for finding this one.
Signed-off-by: Matthew Heon <mheon@redhat.com>
This flag switches to removing containers directly from c/storage
and is mostly used to remove orphan containers.
It's a superior solution to our former one, which attempted
removal from storage under certain circumstances and could, under
some conditions, not trigger.
Also contains the beginning of support for storage in `ps` but
wiring that in is going to be a much bigger pain.
Fixes#3329.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
We made changes earlier that empty storage options when setting
storage driver explicitly. Unfortunately, this breaks rootless
cleanup commands, as they lose the fuse-overlayfs mount program
path.
Fix this by passing along the storage options to the cleanup
process.
Also, fix --syslog, which was broken a while ago (probably when
we broke up main to add main_remote).
Fixes#3326
Signed-off-by: Matthew Heon <mheon@redhat.com>
This way a tool can determine if the container exists or not, but is in the
wrong state.
Since 126 is documeted as:
**_126_** if the **_contained command_** cannot be invoked
It makes sense that the container would exit with this state.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This allows writing output directly to a file, instead of STDOUT.
Makes things easier for some scripting tasks. Like the unit tests
for 'play kube'.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
I took the liberty of combining related checks together
so as to avoid a little duplication; if this is not a
Go best practice, I will revert. I also made a minor
wording adjustment to an error message for clarity.
Also: update wording of man page.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Various small fixes to get BATS tests working again.
Split from #2947 because that one keeps getting stalled,
and I'm hoping these separate changes get approved.
I consider these changes urgent because RHEL8 gating
tests are failing, and will fail even more if/when #2272
gets picked up and packaged for RHEL8, and I consider
it important to have clean passing tests for RHEL8.
* info test: 'insecure registries' is gone. A recent
commit (d1a7378aa) changed the format of 'podman info',
removing the 'insecure registries' key. Deal with it.
* info test: remove check for .host.{Conmon,OCIRuntime}.package;
the value on f28 and f29 is 'Unknown' (instead of an NVR).
We can live without this check.
* 'load' test: skip when running in CI, because stdin
is not a tty.
* container restore: fix arg processing. #2272 broke argument
processing: 'podman container restore', with no args, should
exit with 'argument required' error. Root cause is that the
new --import option takes the place of an argument, so the
checkAllAndLatest() call had to be changed to not exit on error.
Workaround is (sigh) to copy/paste the skipped checkAllAndLatest()
code, with minor tweaks to accommodate --import.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The storage driver and the storage options in storage.conf should
match, but if you change the storage driver via the command line
then we need to nil out the default storage options from storage.conf.
If the user wants to change the storage driver and use storage options,
they need to specify them on the command line.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The option to restore a container from an external checkpoint archive
(podman container restore -i /tmp/checkpoint.tar.gz) restores a
container with the same name and same ID as id had before checkpointing.
This commit adds the option '--name,-n' to 'podman container restore'.
With this option the restored container gets the name specified after
'--name,-n' and a new ID. This way it is possible to restore one
container multiple times.
If a container is restored with a new name Podman will not try to
request the same IP address for the container as it had during
checkpointing. This implicitly assumes that if a container is restored
from a checkpoint archive with a different name, that it will be
restored multiple times and restoring a container multiple times with
the same IP address will fail as each IP address can only be used once.
Signed-off-by: Adrian Reber <areber@redhat.com>
This commit adds an option to the checkpoint command to export a
checkpoint into a tar.gz file as well as importing a checkpoint tar.gz
file during restore. With all checkpoint artifacts in one file it is
possible to easily transfer a checkpoint and thus enabling container
migration in Podman. With the following steps it is possible to migrate
a running container from one system (source) to another (destination).
Source system:
* podman container checkpoint -l -e /tmp/checkpoint.tar.gz
* scp /tmp/checkpoint.tar.gz destination:/tmp
Destination system:
* podman pull 'container-image-as-on-source-system'
* podman container restore -i /tmp/checkpoint.tar.gz
The exported tar.gz file contains the checkpoint image as created by
CRIU and a few additional JSON files describing the state of the
checkpointed container.
Now the container is running on the destination system with the same
state just as during checkpointing. If the container is kept running
on the source system with the checkpoint flag '-R', the result will be
that the same container is running on two different hosts.
Signed-off-by: Adrian Reber <areber@redhat.com>
Let's put inspect structs where they're actually being used. We
originally made pkg/inspect to solve circular import issues.
There are no more circular import issues.
Image structs remain for now, I'm focusing on container inspect.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
add the ability for the podman remote client to use a configuration file
which describes its connections. users can now define a connection the
configuration and then call it by name like:
podman-remote -c connection1
and the destination and user will be derived from the configuration
file. if no -c is provided, we look for a connection in the
configuration file designated as 'default'. If the configuration file
has only one connection, it will be deemed the 'default'.
Signed-off-by: baude <bbaude@redhat.com>
the warning can be confusing when used in rootless mode as the
unprivileged user has no way for setting it up.
Closes: https://github.com/containers/libpod/issues/2955
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Rootless containers can't be paused (no CGroups, so no freezer).
We could try and emulate this with a SIGSTOP to all PIDs in the
container, but that's inherently racy, so let's avoid it for now.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
'docker cp' is an alias for 'docker container cp', and podman should have the equivalent alias.
Signed-off-by: Jose Diaz-Gonzalez <email@josediazgonzalez.com>
Add a journald reader that translates the journald entry to a k8s-file formatted line, to be added as a log line
Note: --follow with journald hasn't been implemented. It's going to be a larger undertaking that can wait.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
move the logic for joining existing namespaces down to the rootless
package. In main_local we still retrieve the list of conmon pid files
and use it from the rootless package.
In addition, create a temporary user namespace for reading these
files, as the unprivileged user might not have enough privileges for
reading the conmon pid file, for example when running with a different
uidmap and root in the container is different than the rootless user.
Closes: https://github.com/containers/libpod/issues/3187
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
when podman cp tar without --extract flag, if the destination already exists, or ends with path seprator, cp the tar under the directory, otherwise copy the tar named with the destination
Signed-off-by: Qi Wang <qiwan@redhat.com>
it creates a namespace where the current UID:GID on the host is mapped
to the same UID:GID in the container.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Log a warning when --security-opt and --privileged are used together to
indicate that it has no effect since --privileged will set everything.
To avoid regressions, only warn, do not error out and do not print on
error level.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Mark hidden all references to signature-policy
Default all uses of --authfile
Add --authfile support to podman run and podman create.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Mainly add support for podman build using --overlay mounts.
Updates containers/image also adds better support for new registries.conf
file.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
use a pause process to keep the user and mount namespace alive.
The pause process is created immediately on reload, and all successive
Podman processes will refer to it for joining the user&mount
namespace.
This solves all the race conditions we had on joining the correct
namespaces using the conmon processes.
As a fallback if the join fails for any reason (e.g. the pause process
was killed), then we try to join the running containers as we were
doing before.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Refactor client code to break out building connection string from
making the connection.
Example:
client:
Connection: unix:/run/podman/io.podman
Connection Type: DirectConnection
.
:
Signed-off-by: Jhon Honce <jhonce@redhat.com>
define two environment variables, that simplify the task of cleaning
up the storage, as we can do something like:
podman unshare sh -c 'rm -rf $CONTAINERS_GRAPHROOT $CONTAINERS_RUNROOT'
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
TomSweeneyRedHat